[65627] in North American Network Operators' Group
Re: MTU path discovery and IPSec
daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Dec 3 18:33:37 2003
Date: Wed, 03 Dec 2003 15:32:43 -0800
From: Owen DeLong <owen@delong.com>
To: Valdis.Kletnieks@vt.edu, jgraun@comcast.net
Cc: nanog@merit.edu
In-Reply-To: <200312031639.hB3Gd9sL008142@turing-police.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu
--On Wednesday, December 3, 2003 11:39 AM -0500 Valdis.Kletnieks@vt.edu wrote:
> On Wed, 03 Dec 2003 16:05:39 GMT, jgraun@comcast.net said:
>
>> 1) I assume MTU path discovery has to be enabled on each router in
>> the path in order for it to work correctly?!
>
> Actually, no. All that's required is that:
>
> a) The router handle the case of a too-large packet with the DF bit set by
> sending back an ICMP 'Dest Unreachable - Frag Needed' packet. I've never
> actually encountered a router that didn't get this part right. (Has
> anybody ever seen a router botch this, *other* than a config error
> covered in (b) below?)
>
When you consider that most firewalls are technically routers (albeit
somewhat pathological routers), yes... Many firewalls fail to send back
the ICMP and silently drop the DF packet.
> b) said ICMP makes it back to the originating machine. This is where all
> the operational breakage I've ever seen on PMTU Discovery comes from. And
> in almost all cases, one of two things is at fault. Either some bonehead
> firewall admin is "blocking all ICMP for security" (fixable by
> reconfiguring the firewall to let ICMP Frag Needed error messages
> through), or some bonehead network provider numbered their
> point-to-points from 1918 space and the ICMP gets ingress/egress filtered
> (this one is usually not fixable except with a baseball bat).
>
Yep... Those are definitely the most common PMTU-D problems.
Owen
-- 
If it wasn't crypto-signed, it probably didn't come from me.
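The two failure modes named in this exchange (a firewall that blocks all ICMP, and a provider whose point-to-point links are numbered from RFC 1918 space so the router's ICMP gets ingress-filtered) can be shown end to end in a few dozen lines. The following is an added example, not code from the thread or from any of the posters: it builds the ICMP Destination Unreachable / Fragmentation Needed message (type 3, code 4, with the RFC 1191 next-hop MTU field) that a router emits when it drops a too-large DF datagram, runs it through the two firewall policies and through a 1918 source filter, and shows what the originating host does with it. All addresses (the 192.0.2.10 host, the 198.51.100.7 destination, the 203.0.113.1 and 10.1.2.3 routers), the 1400-byte next-hop MTU and the function names are constructed for this example.

```python
"""PMTUD 'Fragmentation Needed' round trip: constructed example, not code from the NANOG thread."""
import ipaddress
import struct

# Constructed addresses for this example (RFC 5737 documentation ranges and a 10/8 link).
HOST = "192.0.2.10"            # host doing PMTU discovery (sends with DF set)
DEST = "198.51.100.7"          # far end it is talking to
ROUTER_PUBLIC = "203.0.113.1"  # router with a routable interface address
ROUTER_RFC1918 = "10.1.2.3"    # router whose point-to-point is numbered from 1918 space
IPV4_MIN_MTU = 68              # RFC 791 minimum; a smaller next-hop MTU is bogus
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when run over a correctly checksummed block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ident=0, df=False):
    """Minimal 20-byte IPv4 header with the header checksum filled in (offset 10)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000 if df else 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def frag_needed(router, host, next_hop_mtu, dropped_head):
    """ICMP type 3 / code 4 as a router sends it back for a dropped DF datagram (RFC 792 layout,
    RFC 1191 next-hop MTU in bytes 6-7). dropped_head = dropped IP header + its first 8 bytes."""
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + dropped_head
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, host, 1, len(icmp)) + icmp


def example_frag_needed(router, next_hop_mtu=1400):
    """Constructed scenario: HOST sent a 1500-byte DF datagram to DEST; `router` could not forward it."""
    dropped = ipv4_header(HOST, DEST, 6, 1480, ident=0x1234, df=True) + b"\x00" * 8
    return frag_needed(router, HOST, next_hop_mtu, dropped)


def parse_frag_needed(pkt: bytes):
    """Fields a host needs from a Frag Needed message, or None if pkt is not a well-formed one
    (wrong protocol/type/code, bad checksum, or too short to carry the quoted inner header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 + 28 or icmp[0] != 3 or icmp[1] != 4 or checksum(icmp) != 0:
        return None
    inner = icmp[8:]  # header + 8 bytes of the datagram the router dropped
    return {"router": str(ipaddress.IPv4Address(pkt[12:16])),
            "next_hop_mtu": struct.unpack("!H", icmp[6:8])[0],
            "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
            "inner_dst": str(ipaddress.IPv4Address(inner[16:20]))}


# The two firewall policies from the thread: "block all ICMP" vs. letting Frag Needed through.
def fw_block_all_icmp(pkt: bytes) -> bool:
    return pkt[9] != 1


def fw_allow_frag_needed(pkt: bytes) -> bool:
    if pkt[9] != 1:
        return True
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl] == 3 and pkt[ihl + 1] == 4  # permit exactly type 3 / code 4


def rfc1918_ingress_filter(pkt: bytes) -> bool:
    """Provider edge filter that drops packets sourced from RFC 1918 space. A Frag Needed is
    sourced from the router's own interface address, so a 1918-numbered link loses here."""
    src = ipaddress.IPv4Address(pkt[12:16])
    return not any(src in net for net in RFC1918)


def apply_frag_needed(pmtu_table, pkt, open_flows):
    """Host side. Honour a Frag Needed only if it quotes a flow we actually have (cheap spoofing
    check), carries a sane MTU, and lowers the estimate; nothing received can raise the PMTU."""
    info = parse_frag_needed(pkt)
    if info is None or (info["inner_src"], info["inner_dst"]) not in open_flows:
        return False
    mtu, dst = info["next_hop_mtu"], info["inner_dst"]
    # RFC 1191: MTU 0 means an old router that does not report it (a real host would then step
    # down a plateau table). Simplified here: anything below 68 is ignored.
    if mtu < IPV4_MIN_MTU or mtu >= pmtu_table.get(dst, 1500):
        return False
    pmtu_table[dst] = mtu
    return True


def simulate(firewall, router, ingress_filter=None):
    """Carry the router's Frag Needed back toward HOST through the given filters and return the
    PMTU HOST ends up with for DEST (None: the message never arrived or was not accepted)."""
    pkt = example_frag_needed(router)
    if ingress_filter is not None and not ingress_filter(pkt):
        return None
    if not firewall(pkt):
        return None
    table = {}
    apply_frag_needed(table, pkt, {(HOST, DEST)})
    return table.get(DEST)
```

`simulate(fw_block_all_icmp, ROUTER_PUBLIC)` returns None and `simulate(fw_allow_frag_needed, ROUTER_PUBLIC)` returns 1400: the fix for case (a)/(b) is a one-line rule permitting type 3 code 4, not opening all of ICMP. `simulate(fw_allow_frag_needed, ROUTER_RFC1918, rfc1918_ingress_filter)` returns None even with the permissive firewall, which is the "not fixable except with a baseball bat" case: the ICMP is correctly generated and correctly permitted, but its source address is the router's 10.1.2.3 interface and the ingress filter has no way to tell it from spoofed traffic. The host-side check that the quoted inner header matches an open flow is the cheap defence against forged Frag Needed messages that try to drive the PMTU down; note that IPv6 has the same dependency on ICMPv6 Packet Too Big, not shown here.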